Compulsory data protection audits: Opening Pandora’s box?

4 September 2013

Earlier this year, the Information Commissioner repeated his call for compulsory data protection audits of councils and NHS Trusts in response to what he referred to as “really stupid basic errors”. Giving evidence before the House of Commons Justice Select Committee on 5 February 2013, the Information Commissioner (“the Commissioner”), Christopher Graham, told MPs that the errors, which he described as “making your hair stand on end”, involved “sensitive personal information being sent to the wrong fax machine, being put in the wrong envelope, being dropped in the street, [and] being left on unencrypted laptops and memory sticks.” His call has been met with considerable resistance in some quarters, particularly within local government.

The Commissioner’s compulsory audit power is contained in s. 41A of the Data Protection Act 1998 (“the Act”). At present an “assessment notice” (more commonly referred to as a compulsory audit) may be issued only to a central government department, in order to determine whether the relevant department is complying with the data protection principles. The power does not extend to other public authorities (although they may consent to the process), but it will do so in the future if the Secretary of State makes a designating order under s. 41A (2)(b) of the Act, a power the Commissioner is urging the Secretary of State to use.

This is not the first time the Commissioner has asked for the designation of data controllers within the NHS and local government under s. 41A (2)(b), having previously put forward a business case in Autumn 2011. Whilst the Commissioner is making some progress towards winning the argument, with support from the Department of Health, strong opposition remains from the Department of Communities and Local Government (“the DCLG”). A brief glance at the enforcement notices and monetary penalties imposed over the last year begs the question: why?

Mistakes

In 2012 the Commissioner imposed monetary penalties on 18 councils and hospitals, worth a combined total of just over £2.2 million. A high number of penalties were imposed where sensitive records were sent to the wrong email address or fax number: in one case staff members sent a vulnerable individual’s medical records to the wrong address; in another, sensitive information about a child protection legal case was emailed to the wrong person; and in yet another case, sensitive personal data was faxed to an incorrect and unidentified number, a mistake which was then repeated 45 times over a number of weeks in connection with another 58 patients. Unfortunately these mistakes are not new; last year’s figures mirror the Commissioner’s early 2011 findings, in which he reported that, across all sectors, local government received the most complaints and reported the most basic errors. Against this backdrop, the reluctance of the DCLG to embrace compulsory audits and to allow councils to take advantage of the “free consultancy” does seem surprising.

There is however a little more to a compulsory audit than the provision of a free consultancy service.

Compulsory audit powers

To begin with, the powers of the Commissioner (pursuant to s. 41A (3) of the Act) are extremely wide-ranging and include powers of entry, the power to request documents or other information, and the power to inspect or examine any of the documents, information, equipment or material requested. Not only that, the Commissioner may ask to observe “data processing” tasks, and may ask for specified persons to be made available for interview.

Alongside these intrusive powers, the scope of review within the audit process is extremely broad; during an audit, data protection governance, training and awareness, record management, security and how requests for personal data are dealt with, are all subject to examination.

Pandora’s box

It is therefore fair to say that the breadth of the review, coupled with the intrusiveness of the Commissioner’s powers, is likely to induce anxiety in any organisation. This is particularly so for local authorities and NHS Trusts. By their very nature, councils and hospitals are responsible for processing huge quantities of, often sensitive, personal data. Unfortunately, because of the volume of the information they hold, mistakes are more likely to happen, and because of its sensitivity, mistakes are more serious when they do occur. Consequently, for councils and hospitals, opening the door to an audit may be like opening Pandora’s box.

One risk that authorities no doubt have in mind is a situation where, following an audit, the Commissioner makes a series of recommendations which the authority finds (for a variety of reasons) difficult to implement. If a serious data breach were then to occur, the failure to implement will be considered an aggravating feature during any future enforcement proceedings, ultimately leading to a more severe penalty. As the Commissioner himself recognised, “you are only in serious trouble with the ICO if, having got the list, you do not do anything about it”.

Therefore, in the event that the Commissioner wins the argument on compulsory audits, hospitals and councils should ensure they take steps to put their own houses in order, before the Commissioner comes knocking on the door.